Welcome!

Cloud Security Authors: Pat Romanski, Rishi Bhargava, Jim Hansen, Shelly Palmer, Allwyn Sequeira

Related Topics: @CloudExpo, Cloud Security, Government Cloud

@CloudExpo: Blog Feed Post

The Cloud and Cybersecurity

The cloud-first policy and the incremental approach to cloud adoption will make IT reform real

As part of federal CIO Vivek Kundra’s 25-point plan to reform federal IT management announced last December, federal agencies must adopt a “cloud-first” policy that requires them to move three applications to the “cloud” over the next 12 to 18 months. Agencies must identify the three “must move” services within three months, move one of those services to the cloud within 12 months and the remaining two within 10 months.

This cloud-first policy and the incremental approach to cloud adoption will make IT reform real and should result in huge (30-50%) savings in federal IT budgets. One specific and measurable goal laid out in the plan calls for a reduction in government data centers from the current 2,094 number to fewer than 800 by 2015. Already 50 percent of government agencies are moving to private clouds but to realize the full potential of the cloud, the government needs to move from many small clouds to fewer large, shared clouds. Of course, federal acquisition policies and authorities must be modified before agencies can fully embrace this strategy. The Federal Risk and Authorization Management Program (FedRAMP) begins to address this issue.

FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to “approve once, and use often” by ensuring multiple agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service provider’s authorization packages.

There are still a lot of challenges that federal agencies need to work out with the cloud–data sovereignty, privacy and security, funding models, etc–but it is clear that the cloud model will allow government to operate more efficiently and effectively. Nonetheless, there persists the nagging perception that the cloud is inherently unsafe. Government agencies are uncomfortable handing over control of their data to other agencies, vendors or third parties. They are right to be concerned; reported cyber attacks against federal systems increased by 39 percent during the last fiscal year when compared to the year before, says an annual report on agency implementation of the Federal Information Security Management Act (FISMA). The report–posted online last month by the Office of Management and Budget (FY2010 FISMA Report)–finds that Federal agencies reported 41,776 cyber incidents during fiscal 2010. In 2009, agencies reported close to 30,000 incidents.

Despite the grim outlook, we believe the security of the federal enterprise, as well as its functionality, can be significantly enhanced by smartly implementing cloud computing. The following are some key principles that can facilitate this:

  • The importance of mission-focused engineering. Private clouds inside the federal enterprise can enhance mission support, but mission-focused engineering should be a first step in this pursuit.
  • The continual need for security, including data confidentiality, integrity and availability. All federal computing approaches must be engineered to be in total consonance with IA guidelines to assure federal information, information systems and information infrastructure. Cloud Computing, when engineered right, makes dramatic, positive changes to the mission assurance posture of the federal enterprise. Cloud computing enables stronger end point security and better data protection. It also enables the use of thin clients and the many security benefits they provide. Identity management and encryption remain of critical importance.
  • The need for always instantaneously available backup of data in the cloud. Ensured availability under all circumstances is a key benefit of smart cloud computing approaches.
  • The continual need for open source and open standards. Most cloud infrastructure today is based on open source (Linux, Solaris, MySQL, Glassfish, Hadoop) and this positive trend will help in net centric approaches. According to the IDC Group, open source software (OSS) is “the most significant, all-encompassing and long-term trend that the software industry has seen since the early 1980′s” Gartner projects that by 2012, 90 percent of the world’s companies will be using open source software. This all indicates open source and open standards should be a key principle for federal cloud computing and other net centric approaches.
  • The continual need to evaluate both low barrier to entry and low barrier to exit. As approaches to cloud computing are evaluated, too frequently the cost of exiting an approach is not considered, resulting in lock-in into a capability that may soon be inefficient. Cloud computing capabilities should be adopted that do not result in lock-in.
  • The need for open standards. Cloud computing contributions to enhanced functionality for the federal workforce and increase interoperability as the code, API’s and interfaces for cloud computing are secure but are widely published for all participants to interface with. Federal involvement in open source and open standards communities should continue and be accelerated, since increasingly cloud computing open standards are being discussed and designed by open standards bodies like W3C, OASIS, IETF and the Liberty Alliance. Document and other formats used by federal cloud computing activities will be open and available for all authorized users on all devices.
  • The need to understand the cost of “private clouds”. For at least the near term, the federal government will remain a provider of “private cloud” capabilities where security dictates ownership levels of control over compute power. This fact means the federal enterprise must continually engineer for change and technology insertion, which underscores the need for low barriers to exist in design criteria.

Regarding security, cloud computing holds the potential to dramatically change the continuous loosing game of continual workstation patching and IT device remediation by reducing the amount of applications on desktops and changing the nature of the desktop device from fat client to thin client. Devices can now have their entire memory and operating system flashed out to the device from private clouds and can have the power of the cloud presented to users as if the user is on an old fashioned desktop. This can be done in a way that never requires IT departments to visit the workstation to patch and configure it. And since all data is stored on private clouds it can be encrypted and access only provided to authorized users. No data can ever be lost when laptops are stolen and no data can ever be lost when desktops are attacked by unauthorized users. Security by well engineered use or cloud computing and thin clients or cloud computing and smart fat clients is dramatically enhanced.

This all leads to a key conclusion for the federal enterprise: as we move forward in cloud computing for support to the mission, the federal enterprise should continue to strengthen formal processes to ensure that lessons learned from both industry and the government’s own successful cloud computing initiatives are continually examined and broadly adopted across the enterprise

Crucial Point associates Dillon Behr, Alex Olesker, Bob Gourley and Chris Barnes contributed to this post.

This post sponsored by the Enterprise CIO Forum and HP.

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder and partner at Cognitio Corp and publsher of CTOvision.com

@ThingsExpo Stories
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
SYS-CON Events announced today that SD Times | BZ Media has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. BZ Media LLC is a high-tech media company that produces technical conferences and expositions, and publishes a magazine, newsletters and websites in the software development, SharePoint, mobile development and commercial UAV markets.
"I think that everyone recognizes that for IoT to really realize its full potential and value that it is about creating ecosystems and marketplaces and that no single vendor is able to support what is required," explained Esmeralda Swartz, VP, Marketing Enterprise and Cloud at Ericsson, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, will discuss the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information,
China Unicom exhibit at the 19th International Cloud Expo, which took place at the Santa Clara Convention Center in Santa Clara, CA, in November 2016. China United Network Communications Group Co. Ltd ("China Unicom") was officially established in 2009 on the basis of the merger of former China Netcom and former China Unicom. China Unicom mainly operates a full range of telecommunications services including mobile broadband (GSM, WCDMA, LTE FDD, TD-LTE), fixed-line broadband, ICT, data communica...
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
SYS-CON Events announced today that Auditwerx will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Auditwerx specializes in SOC 1, SOC 2, and SOC 3 attestation services throughout the U.S. and Canada. As a division of Carr, Riggs & Ingram (CRI), one of the top 20 largest CPA firms nationally, you can expect the resources, skills, and experience of a much larger firm combined with the accessibility and attent...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...